Cisco ASA 5505 Configuration Manual page 1283

Chapter 63
Configuring IKE, Load Balancing, and NAC
Key ID—Uses the string the remote peer uses to look up the preshared key.
Automatic—Determines IKE negotiation by connection type:
    IP address for preshared key.
    Cert DN for certificate authentication.

Disabling Inbound Aggressive Mode Connections
Phase 1 IKE negotiations can use either Main mode or Aggressive mode. Both provide the same services, but Aggressive mode requires only two exchanges between the peers, rather than three. Aggressive mode is faster, but does not provide identity protection for the communicating parties. It is therefore necessary that they exchange identification information prior to establishing a secure SA in which to encrypt information. This feature is disabled by default.

Alerting Peers Before Disconnecting
Client or LAN-to-LAN sessions may be dropped for several reasons, such as an adaptive security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
The adaptive security appliance can notify qualified peers (in LAN-to-LAN configurations), VPN Clients, and VPN 3002 hardware clients of sessions that are about to be disconnected, and it conveys to them the reason. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane. This feature is disabled by default.
This pane lets you enable the feature so that the adaptive security appliance sends these alerts and conveys the reason for the disconnect.
Qualified clients and peers include the following:
    Security appliances with Alerts enabled.
    VPN clients running 4.0 or later software (no configuration required).
    VPN 3002 hardware clients running 4.0 or later software, and with Alerts enabled.
    VPN 3000 concentrators running 4.0 or later software, with Alerts enabled.

Waiting for Active Sessions to Terminate Prior to Reboot
You can schedule an adaptive security appliance reboot to occur only when all active sessions have terminated voluntarily. This feature is disabled by default.

Fields
Enable IKE—Shows IKE status for all configured interfaces.
    Interface—Displays names of all configured adaptive security appliance interfaces.
    IKE Enabled—Shows whether IKE is enabled for each configured interface.
    Enable/Disable—Click to enable or disable IKE for the highlighted interface.
NAT Transparency—Lets you enable or disable IPsec over NAT-T and IPsec over TCP.
    Enable IPsec over NAT-T—Choose to enable IPsec over NAT-T.
    NAT Keepalive—Type the number of seconds that can elapse with no traffic before the adaptive security appliance terminates the NAT-T session. The default is 20 seconds. The range is 10 to 3600 seconds (one hour).
    Enable IPsec over TCP—Choose to enable IPsec over TCP.

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Setting IKE Parameters
63-3
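The Aggressive mode point in "Disabling Inbound Aggressive Mode Connections" above is visible on the wire: the ISAKMP header carries an exchange type of 2 for Main mode (the Identity Protection exchange) and 4 for Aggressive mode (RFC 2408). As an added example that is not part of the Cisco guide, this Python classifier parses the fixed ISAKMP header from constructed sample UDP/500 datagrams and flags inbound Aggressive mode initiations, the packets that setting rejects, so a defender can confirm from a capture whether peers are still proposing Aggressive mode. The header layout follows RFC 2408; all sample datagrams and the `build_header` helper are constructed for the example.

```python
import struct
from collections import namedtuple

# ISAKMP exchange types (RFC 2408, section 3.1): Main mode is the
# "Identity Protection" exchange, type 2; Aggressive mode is type 4.
MAIN_MODE = 2
AGGRESSIVE = 4
ZERO_SPI = b"\x00" * 8

# Fixed 28-byte ISAKMP header (network byte order): initiator SPI, responder
# SPI, next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IsakmpHeader = namedtuple("IsakmpHeader", "initiator_spi responder_spi next_payload "
                          "version exchange_type flags message_id length")

def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the fixed header of a UDP/500 datagram, rejecting inconsistent input."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(data))
    if hdr.length < ISAKMP_HDR.size or hdr.length > len(data):
        raise ValueError("length field inconsistent with datagram size")
    return hdr

def is_aggressive_mode_initiation(hdr: IsakmpHeader) -> bool:
    """First message of an IKEv1 Aggressive mode exchange: major version 1,
    exchange type 4, responder SPI still all zero (no reply yet)."""
    return ((hdr.version >> 4) == 1 and hdr.exchange_type == AGGRESSIVE
            and hdr.responder_spi == ZERO_SPI)

def audit(datagrams):
    """Return (index, finding) pairs for datagrams worth a defender's review."""
    findings = []
    for i, pkt in enumerate(datagrams):
        try:
            hdr = parse_isakmp_header(pkt)
        except ValueError as err:
            findings.append((i, f"malformed: {err}"))
            continue
        if is_aggressive_mode_initiation(hdr):
            findings.append((i, "Aggressive mode Phase 1 initiation (no identity protection)"))
    return findings

def build_header(exchange_type: int, responder_spi: bytes = ZERO_SPI) -> bytes:
    """Constructed sample header with no payloads (test data, not captured traffic)."""
    return ISAKMP_HDR.pack(b"\x11" * 8, responder_spi, 1, 0x10, exchange_type, 0, 0, ISAKMP_HDR.size)

# Constructed samples: Main mode init, Aggressive init, Aggressive reply (responder SPI set), truncated datagram.
SAMPLE = [build_header(MAIN_MODE), build_header(AGGRESSIVE),
          build_header(AGGRESSIVE, b"\x22" * 8), b"\x00" * 10]
```

Running `audit(SAMPLE)` flags only the Aggressive mode initiation and the truncated datagram; the Aggressive reply is left alone because its responder SPI is already filled in.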